CN101917272B - Secret communication method and system among neighboring user terminals - Google Patents

Info

Publication number: CN101917272B
Authority: CN (China)
Prior art keywords: user terminal, key, sta1, sta2, switching equipment
Legal status: Active
Application number: CN2010102519965A
Other languages: Chinese (zh)
Other versions: CN101917272A
Inventors: 李琴, 曹军, 铁满霞, 黄振海, 杜志强
Current assignee: China Iwncomm Co Ltd
Original assignee: China Iwncomm Co Ltd
Application filed by: China Iwncomm Co Ltd
Priority and family: CN2010102519965A (CN101917272A published, application granted as CN101917272B); PCT/CN2011/073367 (WO2012019466A1); EP11816025.8A (EP2605447B1); US13/814,899 (US8850190B2)

Classifications (CPC)

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/083 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L 9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Verification of identity, authority or message integrity involving a third party or a trusted authority
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/062 Additional details covered by H04L 63/00 applying encryption of the keys

Abstract

The invention relates to a secret communication method and system between neighboring user terminals. The method comprises the following steps: 1) selecting a neighbor encryption switching device; 2) establishing an inter-station key; and 3) performing secure data communication. In a secure network architecture, when neighboring user terminals need to communicate secretly, the method and system use the neighbor encryption switching device that both terminals share to establish an inter-station key, so that subsequent communication can protect the data directly with that key. Neighboring user terminals that need secret communication therefore do not have to authenticate each other pairwise, which reduces the network load.

Description

Secret communication method and system between neighboring user terminals
Technical field
The present invention relates to the field of communications network security, and in particular to a secret communication method and system between neighboring user terminals.
Background technology
A wired LAN is generally a broadcast network: data sent by one node can be received by every other node. All nodes on the network share the channel, which poses a serious security hazard, since an attacker who gains access to the network and listens can capture every packet on it and steal key information.
The LAN defined by the existing standard GB/T 15629.3 (corresponding to IEEE 802.3 or ISO/IEC 8802-3) provides no data encryption method. Abroad, the IEEE 802.1AE standard formulated by IEEE provides a data encryption protocol for protecting Ethernet, using hop-by-hop encryption to secure data as it passes between network nodes. This hop-by-hop measure, however, only addresses the case in which there is at least one encryption switching device between end user A and end user B. It cannot handle the case in which packets between A and B pass through no encryption switching device at all, that is, the scenario of secure communication between neighboring user terminals; the protocol itself provides no secure communication mechanism for that case.
Some in the industry have pointed out that a shared key between neighboring user terminals could be established through an authentication scheme. Although this would achieve secure communication between neighboring user terminals with no encryption switching device between them, in LAN applications having every pair of neighboring user terminals establish a shared key through mutual authentication would undoubtedly increase the network burden.
Summary of the invention
To solve the technical problem described in the background, the invention provides a secret communication method and system between neighboring user terminals, addressing the problem that, between neighboring user terminals with no encryption switching device between them, establishing a shared key through authentication increases the network burden.
The technical solution of the invention is a secret communication method between neighboring user terminals, characterized in that the method comprises the following steps:
1) selecting a neighbor encryption switching device;
2) establishing an inter-station key;
3) performing secure data communication.
A specific implementation of step 1) above is:
1.1.1) The first user terminal STA1 sends a neighbor encryption switching device selection request packet to the second user terminal STA2; the request packet contains the list of STA1's neighbor encryption switching devices.
1.1.2) On receiving the request packet, STA2 checks its own list of neighbor encryption switching devices, selects one that it has in common with STA1, and constructs a neighbor encryption switching device selection response packet to STA1; the response packet contains the information of the common neighbor encryption switching device selected by STA2.
1.1.3) On receiving the response packet, STA1 extracts the information of the common neighbor encryption switching device selected by STA2.
Another specific implementation of step 1) above is:
1.2.1) STA1 sends a neighbor encryption switching device selection request packet to STA2; the request packet contains a list field of STA1's neighbor encryption switching devices and a list field of the encryption algorithm security parameter suites supported by STA1.
1.2.2) On receiving the request packet, STA2 uses the two list fields to select a neighbor encryption switching device it has in common with STA1 and one encryption algorithm security parameter suite that both STA1 and STA2 support, and constructs a neighbor encryption switching device selection response packet to STA1; the response packet contains the information of the selected common neighbor encryption switching device and a field carrying the one encryption algorithm security parameter suite that STA2 selected from STA1's list and also supports itself.
1.2.3) On receiving the response packet, STA1 extracts the information of the common neighbor encryption switching device selected by STA2 and the encryption algorithm security parameter suite, supported by both sides, that STA2 selected.
A specific implementation of step 2) above is:
2.1.1) STA1 sends an inter-station key request packet to the encryption switching device ESW-B, requesting its assistance in establishing an inter-station key with STA2; the request packet contains the identification information of STA2.
2.1.2) On receiving the request packet from STA1, ESW-B generates a random number as the inter-station key STAKey_1-2 between STA1 and STA2 and constructs an inter-station key announcement packet to STA2; the announcement packet contains the identification information of STA1 and a field carrying STAKey_1-2 encrypted under KEY_B-2, the key shared between ESW-B and STA2.
2.1.3) On receiving the announcement packet from ESW-B, STA2 decrypts the STAKey_1-2 field with KEY_B-2, thereby obtaining the inter-station key with STA1, and constructs an inter-station key announcement response packet to ESW-B; the response packet contains the identification information of STA1.
2.1.4) On receiving the announcement response packet from STA2, ESW-B learns that STA2 has received the inter-station key with STA1 and constructs an inter-station key response packet to STA1; the response packet contains the identification information of STA2 and a field carrying STAKey_1-2 encrypted under KEY_B-1, the key shared between ESW-B and STA1.
2.1.5) On receiving the response packet from ESW-B, STA1 decrypts the STAKey_1-2 field with KEY_B-1, thereby obtaining the inter-station key with STA2.
The specific implementation of step 3) above is: once the inter-station key STAKey_1-2 between STA1 and STA2 has been established through the step 2) process, the two terminals use it directly for secure data communication. Data sent from STA1 to STA2 is encrypted by STA1 with STAKey_1-2 and decrypted by STA2 with STAKey_1-2 on receipt; data sent from STA2 to STA1 is encrypted by STA2 with STAKey_1-2 and decrypted by STA1 with STAKey_1-2 on receipt.
Another specific implementation of step 2) above is:
2.2.1) STA1 sends an inter-station key request packet to ESW-B, requesting its assistance in establishing an inter-station key with STA2; the request packet contains the identification information of STA2 and a message integrity code field MIC1, which STA1 computes with a hash function, keyed with KEY_B-1 shared with ESW-B, over all other fields of the packet except MIC1.
2.2.2) On receiving the request packet, ESW-B first verifies MIC1; if it is incorrect, the packet is discarded. If it is correct, ESW-B generates a random number as the inter-station key STAKey_1-2 between STA1 and STA2 and constructs an inter-station key announcement packet to STA2; the announcement packet contains the identification information of STA1, a field carrying STAKey_1-2 encrypted under KEY_B-2 shared between ESW-B and STA2, and a message integrity code field MIC2, which ESW-B computes with the hash function keyed with KEY_B-2 over all other fields of the packet except MIC2.
2.2.3) On receiving the announcement packet, STA2 first verifies MIC2; if it is incorrect, the packet is discarded. If it is correct, STA2 decrypts the STAKey_1-2 field with KEY_B-2, thereby obtaining the inter-station key with STA1, and constructs an inter-station key announcement response packet to ESW-B; the response packet contains the identification information of STA1 and a message integrity code field MIC3, which STA2 computes with the hash function keyed with KEY_B-2 over all other fields of the packet except MIC3.
2.2.4) On receiving the announcement response packet, ESW-B first verifies MIC3; if it is incorrect, the packet is discarded. If it is correct, ESW-B learns that STA2 has received the inter-station key with STA1 and constructs an inter-station key response packet to STA1; the response packet contains the identification information of STA2, a field carrying STAKey_1-2 encrypted under KEY_B-1 shared between ESW-B and STA1, and a message integrity code field MIC4, which ESW-B computes with the hash function keyed with KEY_B-1 over all other fields of the packet except MIC4.
2.2.5) On receiving the response packet, STA1 first verifies MIC4; if it is incorrect, the packet is discarded. If it is correct, STA1 decrypts the STAKey_1-2 field with KEY_B-1, thereby obtaining the inter-station key with STA2.
Another specific implementation of step 2) above is:
2.3.1) STA1 sends an inter-station key request packet to ESW-B, requesting its assistance in establishing an inter-station key with STA2; the request packet contains the identification information of STA2 and a list field of the encryption algorithm security parameter suites supported by STA1.
2.3.2) On receiving the request packet, ESW-B generates a random number as the inter-station key STAKey_1-2 between STA1 and STA2 and constructs an inter-station key announcement packet to STA2; the announcement packet contains the identification information of STA1, a field carrying STAKey_1-2 encrypted under KEY_B-2 shared between ESW-B and STA2, and the list field of encryption algorithm security parameter suites supported by STA1.
2.3.3) On receiving the announcement packet, STA2 decrypts the STAKey_1-2 field with KEY_B-2, thereby obtaining the inter-station key with STA1, and constructs an inter-station key announcement response packet to ESW-B; the response packet contains the identification information of STA1 and a field carrying the one encryption algorithm security parameter suite that STA2 selected from STA1's list and also supports itself.
2.3.4) On receiving the announcement response packet, ESW-B learns that STA2 has received the inter-station key with STA1 and constructs an inter-station key response packet to STA1; the response packet contains the identification information of STA2, a field carrying STAKey_1-2 encrypted under KEY_B-1 shared between ESW-B and STA1, and the field carrying the encryption algorithm security parameter suite selected by STA2.
2.3.5) On receiving the response packet, STA1 decrypts the STAKey_1-2 field with KEY_B-1, thereby obtaining the inter-station key with STA2, and at the same time extracts and stores the encryption algorithm security parameter suite selected by STA2.
Another specific implementation of step 2) above is:
2.4.1) STA1 sends an inter-station key request packet to ESW-B, requesting its assistance in establishing an inter-station key with STA2; the request packet contains the identification information of STA2, a message integrity code field MIC1, and a list field of the encryption algorithm security parameter suites supported by STA1; MIC1 is computed by STA1 with a hash function, keyed with KEY_B-1 shared with ESW-B, over all other fields of the packet except MIC1.
2.4.2) On receiving the request packet, ESW-B first verifies MIC1; if it is incorrect, the packet is discarded. If it is correct, ESW-B generates a random number as the inter-station key STAKey_1-2 between STA1 and STA2 and constructs an inter-station key announcement packet to STA2; the announcement packet contains the identification information of STA1, a field carrying STAKey_1-2 encrypted under KEY_B-2 shared between ESW-B and STA2, a message integrity code field MIC2, and the list field of encryption algorithm security parameter suites supported by STA1; MIC2 is computed by ESW-B with the hash function keyed with KEY_B-2 over all other fields of the packet except MIC2.
2.4.3) On receiving the announcement packet, STA2 first verifies MIC2; if it is incorrect, the packet is discarded. If it is correct, STA2 decrypts the STAKey_1-2 field with KEY_B-2, thereby obtaining the inter-station key with STA1, and constructs an inter-station key announcement response packet to ESW-B; the response packet contains the identification information of STA1, a field carrying the one encryption algorithm security parameter suite that STA2 selected from STA1's list and also supports itself, and a message integrity code field MIC3; MIC3 is computed by STA2 with the hash function keyed with KEY_B-2 over all other fields of the packet except MIC3.
2.4.4) On receiving the announcement response packet, ESW-B first verifies MIC3; if it is incorrect, the packet is discarded. If it is correct, ESW-B learns that STA2 has received the inter-station key with STA1 and constructs an inter-station key response packet to STA1; the response packet contains the identification information of STA2, a field carrying STAKey_1-2 encrypted under KEY_B-1 shared between ESW-B and STA1, the field carrying the encryption algorithm security parameter suite selected by STA2, and a message integrity code field MIC4; MIC4 is computed by ESW-B with the hash function keyed with KEY_B-1 over all other fields of the packet except MIC4.
2.4.5) On receiving the response packet, STA1 first verifies MIC4; if it is incorrect, the packet is discarded. If it is correct, STA1 decrypts the STAKey_1-2 field with KEY_B-1, thereby obtaining the inter-station key with STA2, and at the same time extracts and stores the encryption algorithm security parameter suite selected by STA2.
The specific implementation of step 3) above is as described before: once the inter-station key STAKey_1-2 between STA1 and STA2 has been established through the step 2) process, data in either direction is encrypted by the sending terminal with STAKey_1-2 and decrypted by the receiving terminal with STAKey_1-2.
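The following is an added worked example of the four-message exchange in steps 2.4.1 to 2.4.5 and of the step 3 data phase; it is not code from the patent or from China Iwncomm. The text leaves the cryptographic primitives open, so the choices here are assumptions: the MIC is HMAC-SHA256 over every other field of the packet; the "protected" STAKey field and the step 3 traffic use encrypt-then-MAC with an HMAC-SHA256 counter-mode keystream (a standard-library stand-in for a real AEAD such as AES-GCM); the station identities, the suite labels "suite-A" to "suite-C" and all keys are constructed in memory. The function and field names are illustrative, not the patent's.

```python
"""Inter-station key establishment via a shared encryption switching device.

Added example (not the patent's or Iwncomm's code) of steps 2.4.1-2.4.5 and
step 3. Assumptions: MIC = HMAC-SHA256 over the other fields; the protected
STAKey field and data frames use encrypt-then-MAC with an HMAC-SHA256
counter-mode keystream as a stdlib-only AEAD stand-in; packets are lists of
byte fields [type, ..., MIC]; ESW-B holds KEY_B-x for each neighbour station.
"""
import hashlib
import hmac
import os


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Inverse of seal(); returns None if the tag does not verify."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def mic(key, fields):
    """MIC over all other fields, length-prefixed so boundaries cannot shift."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()


def mic_ok(key, packet):
    return hmac.compare_digest(packet[-1], mic(key, packet[:-1]))


def sta1_request(key_b1, id_sta2, suites):                       # 2.4.1
    req = [b"STAKEY-REQ", id_sta2, b",".join(suites)]
    return req + [mic(key_b1, req)]


def esw_on_request(station_keys, id_sta1, req):                  # 2.4.2
    key_b1, key_b2 = station_keys.get(id_sta1), station_keys.get(req[1])
    if key_b1 is None or key_b2 is None or req[0] != b"STAKEY-REQ" or not mic_ok(key_b1, req):
        return None, None                                        # MIC1 bad: drop
    stakey = os.urandom(32)                                      # STAKey_1-2
    ann = [b"STAKEY-ANN", id_sta1, seal(key_b2, stakey), req[2]]
    return stakey, ann + [mic(key_b2, ann)]


def sta2_on_announce(key_b2, own_suites, ann):                   # 2.4.3
    if ann[0] != b"STAKEY-ANN" or not mic_ok(key_b2, ann):
        return None, None                                        # MIC2 bad: drop
    stakey = open_sealed(key_b2, ann[2])
    common = [s for s in ann[3].split(b",") if s in own_suites]
    if stakey is None or not common:
        return None, None                                        # no usable suite
    rsp = [b"STAKEY-ANN-RSP", ann[1], common[0]]                 # chosen suite
    return stakey, rsp + [mic(key_b2, rsp)]


def esw_on_announce_response(station_keys, id_sta1, id_sta2, stakey, rsp):  # 2.4.4
    key_b1, key_b2 = station_keys[id_sta1], station_keys[id_sta2]
    if rsp[0] != b"STAKEY-ANN-RSP" or not mic_ok(key_b2, rsp):
        return None                                              # MIC3 bad: drop
    out = [b"STAKEY-RSP", id_sta2, seal(key_b1, stakey), rsp[2]]
    return out + [mic(key_b1, out)]


def sta1_on_response(key_b1, rsp):                               # 2.4.5
    if rsp is None or rsp[0] != b"STAKEY-RSP" or not mic_ok(key_b1, rsp):
        return None, None                                        # MIC4 bad: drop
    return open_sealed(key_b1, rsp[2]), rsp[3]


def run_exchange(tamper_request=False):
    """Drives the four messages plus one step-3 frame on constructed keys;
    returns what each side holds, or None where a packet was dropped."""
    key_b1, key_b2 = os.urandom(32), os.urandom(32)             # KEY_B-1, KEY_B-2
    station_keys = {b"STA1": key_b1, b"STA2": key_b2}           # ESW-B's table
    sta1_suites, sta2_suites = [b"suite-A", b"suite-B"], [b"suite-B", b"suite-C"]

    req = sta1_request(key_b1, b"STA2", sta1_suites)
    if tamper_request:
        req[2] = b"suite-C"        # on-path edit of the suite list: MIC1 no longer matches
    stakey_esw, ann = esw_on_request(station_keys, b"STA1", req)
    if ann is None:
        return None
    stakey_sta2, ann_rsp = sta2_on_announce(key_b2, sta2_suites, ann)
    if ann_rsp is None:
        return None
    rsp = esw_on_announce_response(station_keys, b"STA1", b"STA2", stakey_esw, ann_rsp)
    stakey_sta1, suite = sta1_on_response(key_b1, rsp)

    frame = seal(stakey_sta1, b"hello STA2")                     # step 3: ESW-B not involved
    return {"sta1_key": stakey_sta1, "sta2_key": stakey_sta2, "suite": suite,
            "at_sta2": open_sealed(stakey_sta2, frame)}
```

Running `run_exchange()` leaves STA1 and STA2 holding the same 32-byte STAKey_1-2 and the suite "suite-B", the only one on both lists, and the step 3 frame decrypts at STA2 without ESW-B touching it. The tampered run shows the role of MIC1 in step 2.4.2: the altered request fails verification at ESW-B and is dropped, so no key is generated. Note that, as the text describes, ESW-B generates STAKey_1-2 itself and therefore also knows it; the scheme relies on the switching device as a trusted key distribution point, which is what the H04L 9/083 classification above captures.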
A secret communication system between neighboring user terminals, characterized in that the system comprises a first user terminal STA1 and a second user terminal STA2 that are neighbors of each other, an encryption switching device ESW-B that is a common neighbor of STA1 and STA2, and general intermediate devices that can receive the packets exchanged between STA1 and STA2. STA1 sends a neighbor encryption switching device selection request packet to STA2; on receiving it, STA2 constructs a neighbor encryption switching device selection response packet and sends it to STA1. STA1 sends an inter-station key request packet to ESW-B; on receiving it, ESW-B constructs an inter-station key announcement packet and sends it to STA2; on receiving it, STA2 constructs an inter-station key announcement response packet and sends it to ESW-B; on receiving it, ESW-B constructs an inter-station key response packet and sends it to STA1; STA1 receives the inter-station key response packet sent by ESW-B.
The advantage of the present invention is that the secret communication method and system between neighboring user terminals provided by the present invention, operating under a secure network infrastructure, use the neighbor switching device shared by two neighboring user terminals to establish an inter-station key for them when they need to communicate securely; that inter-station key can then be used directly for the confidential transmission of data in the subsequent communication, which provides a feasible mechanism for secure communication between neighboring user terminals. Furthermore, in this method the neighboring user terminals that need to communicate securely do not have to perform pairwise identity authentication with each other, which reduces the network burden.
Description of drawings
Fig. 1 is a schematic diagram of the operation of the secret communication system between neighboring user terminals provided by the present invention;
Fig. 2 is a flowchart of the method of the present invention.
Embodiment
In the secret communication method between neighboring user terminals given by the present invention, two user terminals are defined as neighboring user terminals of each other if the packets between them do not pass through any encryption switching device. Packets between neighboring user terminals may pass through one or more hubs or non-encrypting switching devices; such a hub or non-encrypting switching device is called here a general intermediate device between the neighboring user terminals.
Referring to Figs. 1 and 2, STA1 denotes the first user terminal; STA2 denotes the second user terminal; ESW-B denotes the neighbor encryption switching device shared by the first user terminal STA1 and the second user terminal STA2; CSW-A denotes the general intermediate device between STA1 and STA2. STA1 and ESW-B are neighbors and have established a shared key KEYB-1 between them; STA2 and ESW-B are neighbors and have established a shared key KEYB-2 between them. According to the definition of the present invention, STA1 and STA2 are neighboring user terminals. Taking as an example a secure data communication initiated by the first user terminal STA1 with the second user terminal STA2, the secret communication method between neighboring user terminals given by the present invention comprises the following processes:
1) Neighbor encryption switching device selection process;
The neighbor encryption switching device selection process can be realized through the following steps:
1.1) The first user terminal STA1 sends a "neighbor encryption switching device selection request packet M1" to the second user terminal STA2; packet M1 contains the information list of the neighbor encryption switching devices of STA1;
1.2) After the second user terminal STA2 receives the "neighbor encryption switching device selection request packet M1", it checks its own list of neighbor encryption switching devices, selects one neighbor encryption switching device that it shares with STA1, and constructs a "neighbor encryption switching device selection response packet M2" which it sends to STA1; packet M2 contains the information of the neighbor encryption switching device shared with STA1 that STA2 selected;
1.3) After the first user terminal STA1 receives the "neighbor encryption switching device selection response packet M2", it extracts the information of the neighbor encryption switching device that STA2 selected and that STA1 itself also has;
In a specific implementation, the neighbor encryption switching device selection process of process 1) can also be used to negotiate the security parameter suites, such as AES, that the first user terminal STA1 and the second user terminal STA2 will use for secure communication. The specific method is: the "neighbor encryption switching device selection request packet M1" constructed by STA1 additionally contains a list field of the security parameter suites, such as AES, supported by STA1; correspondingly, the "neighbor encryption switching device selection response packet M2" constructed by STA2 additionally contains a field with one security parameter suite, such as AES, that STA2 selected from the list of security parameter suites supported by STA1 and that STA2 also supports. Through this method, STA1 and STA2 can negotiate the security parameter suites, such as AES, to be used for their secure communication; after STA1 and STA2 subsequently establish the inter-station key, the secure data communication stage uses the security parameter suites, such as AES, determined by this negotiation.
2) Inter-station key establishment process;
Taking as an example the case where the first user terminal STA1 and the second user terminal STA2 selected the encryption switching device ESW-B through the neighbor encryption switching device selection process of 1), the inter-station key establishment process can be realized through the following steps:
2.1) The first user terminal STA1 sends an "inter-station key request packet M3" to the encryption switching device ESW-B, requesting assistance in establishing an inter-station key with STA2; packet M3 contains the identification information of the second user terminal STA2;
2.2) After the encryption switching device ESW-B receives the "inter-station key request packet M3", it generates a random number as the inter-station key STAKey1-2 between STA1 and STA2, constructs an "inter-station key announcement packet M4" and sends it to the second user terminal STA2; packet M4 contains the identification information of STA1 and an encrypted information field carrying STAKey1-2 protected with the shared key KEYB-2 between ESW-B and STA2;
2.3) After the second user terminal STA2 receives the "inter-station key announcement packet M4", it uses the key KEYB-2 between itself and ESW-B to decrypt the STAKey1-2 encrypted information field and obtain STAKey1-2, that is, the inter-station key with STA1; it then constructs an "inter-station key announcement response packet M5" and sends it to ESW-B;
2.4) After the encryption switching device ESW-B receives the "inter-station key announcement response packet M5", it learns that STA2 has received the inter-station key information with STA1, constructs an "inter-station key response packet M6" and sends it to the first user terminal STA1; packet M6 contains the identification information of STA2 and an encrypted information field carrying STAKey1-2 protected with the shared key KEYB-1 between ESW-B and STA1;
2.5) After the first user terminal STA1 receives the "inter-station key response packet M6", it uses the key KEYB-1 between itself and ESW-B to decrypt the STAKey1-2 encrypted information field and obtain STAKey1-2, that is, the inter-station key with STA2.
In a specific implementation, to guarantee the integrity of the packet contents, each packet in the inter-station key establishment process of process 2) may carry a message integrity check code MIC field; the constructor of the packet computes this field as the hash value, obtained through a hash function using the key it shares with the recipient, over all fields of the packet other than the MIC field. Correspondingly, after receiving a packet, the recipient first verifies whether the MIC is correct; if it is correct, it carries out the message processing described above, otherwise it discards the packet;
In a specific implementation, the inter-station key establishment process of process 2) can also be used to negotiate the security parameter suites, such as AES, that the first user terminal STA1 and the second user terminal STA2 will use for secure communication. The specific method is: the "inter-station key request packet M3" constructed by STA1 additionally contains a list field of the security parameter suites, such as AES, supported by STA1; correspondingly, the "inter-station key announcement packet M4" constructed by the encryption switching device ESW-B additionally contains the list field of the security parameter suites, such as AES, supported by STA1; the "inter-station key announcement response packet M5" constructed by STA2 additionally contains a field with one security parameter suite, such as AES, that STA2 selected from the list of security parameter suites supported by STA1 and that STA2 also supports; and the "inter-station key announcement response packet M5" constructed by the encryption switching device ESW-B additionally contains the field with the security parameter suite, such as AES, selected by STA2. Through this method, STA1 and STA2 can negotiate the security parameter suites, such as AES, to be used for their secure communication; after STA1 and STA2 subsequently establish the inter-station key, the secure data communication stage uses the security parameter suites, such as AES, determined by this negotiation.
3) Secure data communication process;
After the inter-station key STAKey1-2 between the first user terminal STA1 and the second user terminal STA2 has been established through the inter-station key establishment process of process 2), STA1 and STA2 can use this inter-station key for secure data communication. Data sent from STA1 to STA2 is encrypted by STA1 with STAKey1-2 before transmission and decrypted by STA2 with STAKey1-2 after receipt; correspondingly, data sent from STA2 to STA1 is encrypted by STA2 with STAKey1-2 before transmission and decrypted by STA1 with STAKey1-2 after receipt.
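The exchange of processes 1) to 3) above, as an added simulation that is not part of the patent or of any implementation by the applicant: the message field names, the HMAC-SHA256 keyed hash used for the MIC and the HMAC-derived keystream used for the encrypted information field are assumptions, since the patent specifies neither primitive. It also shows the two failure modes the text calls for: a packet whose MIC fails is discarded and installs no key, and a peer that shares no encryption switching device cannot complete selection.

```python
"""Added simulation of processes 1) to 3): ESW selection (M1/M2), inter-station key setup
through ESW-B (M3..M6) with a MIC on every packet, and STAKey1-2 use. Not the patent's code:
HMAC-SHA256 stands in for the keyed hash, an HMAC XOR keystream for the encrypted field."""
import hashlib
import hmac
import json
import secrets

def mic(key: bytes, pkt: dict) -> str:
    """MIC = keyed hash over every field of the packet except the MIC itself."""
    body = json.dumps({k: v for k, v in pkt.items() if k != "MIC"}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def mic_ok(key: bytes, pkt) -> bool:
    """Recipient-side check: a missing packet or a wrong MIC means discard."""
    return pkt is not None and "MIC" in pkt and hmac.compare_digest(mic(key, pkt), pkt["MIC"])

def wrap(key: bytes, nonce_hex: str, data: bytes) -> str:
    """Stand-in protection of up to 32 bytes: XOR with a nonce-bound HMAC keystream."""
    ks = hmac.new(key, b"wrap" + bytes.fromhex(nonce_hex), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks)).hex()

def unwrap(key: bytes, nonce_hex: str, enc_hex: str) -> bytes:
    return bytes.fromhex(wrap(key, nonce_hex, bytes.fromhex(enc_hex)))  # XOR is symmetric

class Station:
    """User terminal; esw_keys maps each neighbor ESW name to the shared KEYB-x."""
    def __init__(self, name: str, esw_keys: dict, suites: list):
        self.name, self.esw_keys, self.suites = name, esw_keys, suites
        self.sta_keys = {}  # peer name -> STAKey1-2

    def build_m1(self) -> dict:  # 1.1) own neighbor ESW list plus supported suites
        return {"type": "M1", "src": self.name, "esw_list": list(self.esw_keys), "suites": self.suites}

    def handle_m1(self, m1: dict):  # 1.2) choose a shared ESW and a suite both support
        common = [e for e in m1["esw_list"] if e in self.esw_keys]
        suite = next((s for s in m1["suites"] if s in self.suites), None)
        if not common or suite is None:
            return None
        return {"type": "M2", "src": self.name, "esw": common[0], "suite": suite}

    def build_m3(self, esw: str, peer: str) -> dict:  # 2.1) ask the ESW for a key with peer
        m3 = {"type": "M3", "src": self.name, "peer": peer}
        m3["MIC"] = mic(self.esw_keys[esw], m3)
        return m3

    def handle_key_pkt(self, esw: str, pkt, reply: bool):  # 2.3) for M4, 2.5) for M6
        key = self.esw_keys[esw]
        if not mic_ok(key, pkt):
            return None  # discarded: no STAKey1-2 is installed
        self.sta_keys[pkt["peer"]] = unwrap(key, pkt["nonce"], pkt["enc_key"])
        if not reply:
            return True
        m5 = {"type": "M5", "src": self.name, "peer": pkt["peer"]}
        m5["MIC"] = mic(key, m5)
        return m5

class EncryptSwitch:
    """ESW-B; sta_keys maps each neighbor station to the shared KEYB-x."""
    def __init__(self, name: str, sta_keys: dict):
        self.name, self.sta_keys, self.pending = name, sta_keys, {}

    def _key_pkt(self, ptype: str, dst: str, peer: str, stakey: bytes) -> dict:
        key, nonce = self.sta_keys[dst], secrets.token_hex(8)
        pkt = {"type": ptype, "src": self.name, "peer": peer, "nonce": nonce,
               "enc_key": wrap(key, nonce, stakey)}
        pkt["MIC"] = mic(key, pkt)
        return pkt

    def handle_m3(self, m3: dict):  # 2.2) fresh random STAKey1-2, announced to STA2
        if not mic_ok(self.sta_keys[m3["src"]], m3):
            return None
        stakey = secrets.token_bytes(16)
        self.pending[(m3["src"], m3["peer"])] = stakey
        return self._key_pkt("M4", m3["peer"], m3["src"], stakey)

    def handle_m5(self, m5):  # 2.4) STA2 confirmed receipt; deliver STAKey1-2 to STA1
        if m5 is None or not mic_ok(self.sta_keys[m5["src"]], m5):
            return None
        return self._key_pkt("M6", m5["peer"], m5["src"], self.pending.pop((m5["peer"], m5["src"])))

def build_network():
    """Constructed topology of Fig. 1: STA1 and STA2 both neighbor ESW-B; CSW-A is transparent."""
    key_b1, key_b2 = secrets.token_bytes(32), secrets.token_bytes(32)  # KEYB-1, KEYB-2
    sta1 = Station("STA1", {"ESW-C": secrets.token_bytes(32), "ESW-B": key_b1}, ["suite-A", "suite-B"])
    sta2 = Station("STA2", {"ESW-B": key_b2}, ["suite-B"])
    return sta1, sta2, {"ESW-B": EncryptSwitch("ESW-B", {"STA1": key_b1, "STA2": key_b2})}

def run_exchange(sta1, sta2, esws, tamper=None):
    """M1..M6 in order; returns (ESW name, suite), or None when any party discards a packet."""
    m2 = sta2.handle_m1(sta1.build_m1())
    if m2 is None:
        return None
    m4 = esws[m2["esw"]].handle_m3(sta1.build_m3(m2["esw"], sta2.name))
    m4 = tamper(dict(m4)) if tamper else m4  # models modification on the transparent path
    m5 = sta2.handle_key_pkt(m2["esw"], m4, reply=True)
    m6 = esws[m2["esw"]].handle_m5(m5)
    if sta1.handle_key_pkt(m2["esw"], m6, reply=False) is None:
        return None
    return m2["esw"], m2["suite"]
```

After a successful run both stations hold the same STAKey1-2 and protect the data stage with `wrap`/`unwrap` under that key; a tampered M4 is dropped by STA2 and neither side installs a key.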
A secret communication system between neighboring user terminals comprises user terminals STA1 and STA2 that are neighbors of each other, a neighbor encryption switching device ESW-B shared by the first user terminal STA1 and the second user terminal STA2, and general intermediate devices that can receive the packets exchanged between STA1 and STA2. Here the first user terminal STA1 sends the "neighbor encryption switching device selection request packet M1" to the second user terminal STA2, receives the "neighbor encryption switching device selection response packet M2" sent by STA2, sends the "inter-station key request packet M3" to ESW-B, receives the "inter-station key request response packet M4" sent by ESW-B, encrypts the data packets it sends to STA2 with the inter-station key STAKey1-2 before sending them, and decrypts the data packets it receives from STA2 with STAKey1-2. The second user terminal STA2 receives the "neighbor encryption switching device selection request packet M1" sent by STA1, sends the "neighbor encryption switching device selection response packet M2" to STA1, receives the "inter-station key announcement packet M4" sent by ESW-B, sends the "inter-station key announcement response packet M5" to ESW-B, encrypts the data packets it sends to STA1 with the inter-station key STAKey1-2 before sending them, and decrypts the data packets it receives from STA1 with STAKey1-2. The neighbor encryption switching device ESW-B shared by STA1 and STA2 receives the "inter-station key request packet M3" sent by STA1, sends the "inter-station key announcement packet M4" to STA2, receives the "inter-station key announcement response packet M5" sent by STA2, and sends the "inter-station key response packet M6" to STA1. A general intermediate device is a hub or a switching device that does not support the encryption mechanism; it transparently forwards the protocol data and the encrypted packets between STA1 and STA2.
In the secret communication system between neighboring user terminals, there may be one general intermediate device or several.

Claims (6)

1. A secret communication method between neighboring user terminals, characterized in that the method comprises the following steps:
1) selecting a neighbor encryption switching device;
the first user terminal (STA1) sends a neighbor encryption switching device selection request packet (M1) to the second user terminal (STA2); the neighbor encryption switching device selection request packet contains an information list of the neighbor encryption switching devices of the first user terminal (STA1);
after the second user terminal (STA2) receives the neighbor encryption switching device selection request packet (M1) sent by the first user terminal (STA1), it checks the list of neighbor encryption switching devices of the second user terminal (STA2), selects one neighbor encryption switching device shared with the first user terminal (STA1), and constructs a neighbor encryption switching device selection response packet (M2) which it sends to the first user terminal (STA1); the neighbor encryption switching device selection response packet (M2) contains the information of the neighbor encryption switching device shared with the first user terminal (STA1) that the second user terminal (STA2) selected;
after the first user terminal (STA1) receives the neighbor encryption switching device selection response packet (M2) sent by the second user terminal (STA2), it extracts the information of the neighbor encryption switching device that the second user terminal (STA2) selected and that it shares;
2) establishing an inter-station key;
the first user terminal (STA1) sends an inter-station key request packet (M3) to the encryption switching device (ESW-B), requesting assistance in establishing an inter-station key with the second user terminal (STA2); the inter-station key request packet (M3) contains the identification information of the second user terminal (STA2);
after the encryption switching device (ESW-B) receives the inter-station key request packet (M3) sent by the first user terminal (STA1), it generates a random number as the inter-station key STAKey1-2 between the first user terminal (STA1) and the second user terminal (STA2), constructs an inter-station key announcement packet (M4) and sends it to the second user terminal (STA2); the inter-station key announcement packet (M4) contains the identification information of the first user terminal (STA1) and an encrypted information field carrying STAKey1-2 protected with the shared key KEYB-2 between the encryption switching device (ESW-B) and the second user terminal (STA2);
after the second user terminal (STA2) receives the inter-station key announcement packet (M4) sent by the encryption switching device (ESW-B), it uses the key KEYB-2 between the second user terminal (STA2) and the encryption switching device (ESW-B) to decrypt the STAKey1-2 encrypted information field and obtain STAKey1-2, that is, the inter-station key with the first user terminal (STA1); it then constructs an inter-station key announcement response packet (M5) and sends it to the encryption switching device (ESW-B); the inter-station key announcement response packet (M5) contains the identification information of the first user terminal (STA1);
after the encryption switching device (ESW-B) receives the inter-station key announcement response packet (M5) sent by the second user terminal (STA2), it learns that the second user terminal (STA2) has received the inter-station key information with the first user terminal (STA1), constructs an inter-station key response packet (M6) and sends it to the first user terminal (STA1); the inter-station key response packet (M6) contains the identification information of the second user terminal (STA2) and an encrypted information field carrying STAKey1-2 protected with the shared key KEYB-1 between the encryption switching device (ESW-B) and the first user terminal (STA1);
after the first user terminal (STA1) receives the inter-station key response packet (M6) sent by the encryption switching device (ESW-B), it uses the key KEYB-1 between the first user terminal (STA1) and the encryption switching device (ESW-B) to decrypt the STAKey1-2 encrypted information field and obtain STAKey1-2, that is, the inter-station key with the second user terminal (STA2);
3) carrying out secure data communication;
after the inter-station key STAKey1-2 between the first user terminal (STA1) and the second user terminal (STA2) has been established through the inter-station key establishment process of step 2), the first user terminal (STA1) and the second user terminal (STA2) can use this inter-station key for secure data communication: data sent from the first user terminal (STA1) to the second user terminal (STA2) is encrypted by the first user terminal (STA1) with STAKey1-2 before transmission and decrypted by the second user terminal (STA2) with STAKey1-2 after receipt; data sent from the second user terminal (STA2) to the first user terminal (STA1) is encrypted by the second user terminal (STA2) with STAKey1-2 before transmission and decrypted by the first user terminal (STA1) with STAKey1-2 after receipt;
wherein two user terminals are neighboring user terminals of each other if the packets between them do not pass through any encryption switching device.
2. The secret communication method between neighboring user terminals according to claim 1, characterized in that the specific implementation of step 1) is replaced with:
the first user terminal (STA1) sends a neighbor encryption switching device selection request packet (M1) to the second user terminal (STA2); the neighbor encryption switching device selection request packet (M1) contains an information list field of the neighbor encryption switching devices of the first user terminal (STA1) and a list field of the AES security parameter suites supported by the first user terminal (STA1);
after the second user terminal (STA2) receives the neighbor encryption switching device selection request packet (M1) sent by the first user terminal (STA1), according to the neighbor encryption switching device list information field of the first user terminal (STA1) and the list field of AES security parameter suites supported by the first user terminal (STA1) in the packet, it selects one neighbor encryption switching device shared with the first user terminal (STA1) and one AES security parameter suite that both it and the first user terminal (STA1) support, and constructs a neighbor encryption switching device selection response packet (M2) which it sends to the first user terminal (STA1); the neighbor encryption switching device selection response packet (M2) contains the information of the neighbor encryption switching device shared with the first user terminal (STA1) that the second user terminal (STA2) selected, and a security parameter suite field, such as AES, with the one suite that the second user terminal (STA2) selected from the list of AES security parameter suites supported by the first user terminal (STA1) and that the second user terminal (STA2) also supports;
after the first user terminal (STA1) receives the neighbor encryption switching device selection response packet (M2) sent by the second user terminal (STA2), it extracts the information of the neighbor encryption switching device that the second user terminal (STA2) selected and that it itself has, and the AES security parameter suite selected by the second user terminal (STA2) that both sides support.
3. The secret communication method between neighboring user terminals according to claim 1 or 2, characterized in that the specific implementation of step 2) is replaced with:
the first user terminal (STA1) sends an inter-station key request packet (M3) to the encryption switching device (ESW-B), requesting assistance in establishing an inter-station key with the second user terminal (STA2); the inter-station key request packet (M3) contains the identification information of the second user terminal (STA2) and a message integrity check code MIC1 field, where the message integrity check code MIC1 field is the hash value computed by the first user terminal (STA1) through a hash function, using the shared key KEYB-1 between it and the encryption switching device (ESW-B), over all fields of the packet other than the MIC1 field;
after the encryption switching device (ESW-B) receives the inter-station key request packet (M3) sent by the first user terminal (STA1), it first verifies whether the message integrity check code MIC1 field is correct; if it is incorrect, it discards the packet; if it is correct, it generates a random number as the inter-station key STAKey1-2 between the first user terminal (STA1) and the second user terminal (STA2), constructs an inter-station key announcement packet (M4) and sends it to the second user terminal (STA2); the inter-station key announcement packet (M4) contains the identification information of the first user terminal (STA1), an encrypted information field carrying STAKey1-2 protected with the shared key KEYB-2 between the encryption switching device (ESW-B) and the second user terminal (STA2), and a message integrity check code MIC2 field; the message integrity check code MIC2 field is the hash value computed by the encryption switching device (ESW-B) through a hash function, using the shared key KEYB-2 between it and the second user terminal (STA2), over all fields of the packet other than the MIC2 field;
after the second user terminal (STA2) receives the inter-station key announcement packet (M4) sent by the encryption switching device (ESW-B), it first verifies whether the message integrity check code MIC2 field is correct; if it is incorrect, it discards the packet; if it is correct, it uses the key KEYB-2 between the second user terminal (STA2) and the encryption switching device (ESW-B) to decrypt the STAKey1-2 encrypted information field and obtain STAKey1-2, that is, the inter-station key with the first user terminal (STA1); it then constructs an inter-station key announcement response packet (M5) and sends it to the encryption switching device (ESW-B); the inter-station key announcement response packet (M5) contains the identification information of the first user terminal (STA1) and a message integrity check code MIC3 field; the message integrity check code MIC3 field is the hash value computed by the second user terminal (STA2) through a hash function, using the shared key KEYB-2 between it and the encryption switching device (ESW-B), over all fields of the packet other than the MIC3 field;
after the encryption switching device (ESW-B) receives the inter-station key announcement response packet (M5) sent by the second user terminal (STA2), it first verifies whether the message integrity check code MIC3 field is correct; if it is incorrect, it discards the packet; if it is correct, it learns that the second user terminal (STA2) has received the inter-station key information with the first user terminal (STA1), constructs an inter-station key response packet (M6) and sends it to the first user terminal (STA1); the inter-station key response packet (M6) contains the identification information of the second user terminal (STA2), an encrypted information field carrying STAKey1-2 protected with the shared key KEYB-1 between the encryption switching device (ESW-B) and the first user terminal (STA1), and a message integrity check code MIC4 field; the message integrity check code MIC4 field is the hash value computed by the encryption switching device (ESW-B) through a hash function, using the shared key KEYB-1 between it and the first user terminal (STA1), over all fields of the packet other than the MIC4 field;
after the first user terminal (STA1) receives the inter-station key response packet (M6) sent by the encryption switching device (ESW-B), it first verifies whether the message integrity check code MIC4 field is correct; if it is incorrect, it discards the packet; if it is correct, it uses the key KEYB-1 between the first user terminal (STA1) and the encryption switching device (ESW-B) to decrypt the STAKey1-2 encrypted information field and obtain STAKey1-2, that is, the inter-station key with the second user terminal (STA2).
4. The secret communication method between neighboring user terminals according to claim 1, characterized in that the specific implementation of step 2) is replaced with:
the first user terminal (STA1) sends an inter-station key request packet (M3) to the encryption switching device (ESW-B), requesting assistance in establishing an inter-station key with the second user terminal (STA2); the inter-station key request packet (M3) contains the identification information of the second user terminal (STA2) and a list field of the AES security parameter suites supported by the first user terminal (STA1);
after the encryption switching device (ESW-B) receives the inter-station key request packet (M3) sent by the first user terminal (STA1), it generates a random number as the inter-station key STAKey1-2 between the first user terminal (STA1) and the second user terminal (STA2), constructs an inter-station key announcement packet (M4) and sends it to the second user terminal (STA2); the inter-station key announcement packet (M4) contains the identification information of the first user terminal (STA1), an encrypted information field carrying STAKey1-2 protected with the shared key KEYB-2 between the encryption switching device (ESW-B) and the second user terminal (STA2), and the list field of the AES security parameter suites supported by the first user terminal (STA1);
after the second user terminal (STA2) receives the inter-station key announcement packet (M4) sent by the encryption switching device (ESW-B), it uses the key KEYB-2 between the second user terminal (STA2) and the encryption switching device (ESW-B) to decrypt the STAKey1-2 encrypted information field and obtain STAKey1-2, that is, the inter-station key with the first user terminal (STA1); it then constructs an inter-station key announcement response packet (M5) and sends it to the encryption switching device (ESW-B); the inter-station key announcement response packet (M5) contains the identification information of the first user terminal (STA1) and an AES security parameter suite field with the one suite that the second user terminal (STA2) selected from the list of AES security parameter suites supported by the first user terminal (STA1) and that the second user terminal (STA2) also supports;
after the encryption switching device (ESW-B) receives the inter-station key announcement response packet (M5) sent by the second user terminal (STA2), it learns that the second user terminal (STA2) has received the inter-station key information with the first user terminal (STA1), constructs an inter-station key response packet (M6) and sends it to the first user terminal (STA1); the inter-station key response packet (M6) contains the identification information of the second user terminal (STA2), the encrypted information carrying STAKey1-2 protected with the shared key KEYB-1 between the encryption switching device (ESW-B) and the first user terminal (STA1), and the AES security parameter suite field selected by the second user terminal (STA2);
after the first user terminal (STA1) receives the inter-station key response packet (M6) sent by the encryption switching device (ESW-B), it uses the key KEYB-1 between the first user terminal (STA1) and the encryption switching device (ESW-B) to decrypt the STAKey1-2 encrypted information field and obtain STAKey1-2, that is, the inter-station key with the second user terminal (STA2).
5. The secret communication method between neighboring user terminals according to claim 4, characterized in that the specific implementation of step 2) is replaced with:
the first user terminal (STA1) sends an inter-station key request packet (M3) to the encryption switching device (ESW-B), requesting assistance in establishing an inter-station key with the second user terminal (STA2); the inter-station key request packet (M3) contains the identification information of the second user terminal (STA2), a message integrity check code MIC1 field and a list field of the AES security parameter suites supported by the first user terminal (STA1); the message integrity check code MIC1 field is the hash value computed by the first user terminal (STA1) through a hash function, using the shared key KEYB-1 between it and the encryption switching device (ESW-B), over all fields of the packet other than the MIC1 field;
after the encryption switching device (ESW-B) receives the inter-station key request packet (M3) sent by the first user terminal (STA1), it first verifies whether the message integrity check code MIC1 field is correct; if it is incorrect, it discards the packet; if it is correct, it generates a random number as the inter-station key STAKey1-2 between the first user terminal (STA1) and the second user terminal (STA2), constructs an inter-station key announcement packet (M4) and sends it to the second user terminal (STA2); the inter-station key announcement packet (M4) contains the identification information of the first user terminal (STA1), an encrypted information field carrying STAKey1-2 protected with the shared key KEYB-2 between the encryption switching device (ESW-B) and the second user terminal (STA2), a message integrity check code MIC2 field and the list field of the AES security parameter suites supported by the first user terminal (STA1); the message integrity check code MIC2 field is the hash value computed by the encryption switching device (ESW-B) through a hash function, using the shared key KEYB-2 between it and the second user terminal (STA2), over all fields of the packet other than the MIC2 field;
after the second user terminal (STA2) receives the inter-station key announcement packet (M4) sent by the encryption switching device (ESW-B), it first verifies whether the message integrity check code MIC2 field is correct; if it is incorrect, it discards the packet; if it is correct, it uses the key KEYB-2 between the second user terminal (STA2) and the encryption switching device (ESW-B) to decrypt the STAKey1-2 encrypted information field and obtain STAKey1-2, that is, the inter-station key with the first user terminal (STA1); it then constructs an inter-station key announcement response packet (M5) and sends it to the encryption switching device (ESW-B); the inter-station key announcement response packet (M5) contains the identification information of the first user terminal (STA1), an AES security parameter suite field with the one suite that the second user terminal (STA2) selected from the list of AES security parameter suites supported by the first user terminal (STA1) and that the second user terminal (STA2) also supports, and a message integrity check code MIC3 field; the message integrity check code MIC3 field is the hash value computed by the second user terminal (STA2) through a hash function, using the shared key KEYB-2 between it and the encryption switching device (ESW-B), over all fields of the packet other than the MIC3 field;
after the encryption switching device (ESW-B) receives the inter-station key announcement response packet (M5) sent by the second user terminal (STA2), it first verifies whether the message integrity check code MIC3 field is correct; if it is incorrect, it discards the packet; if it is correct, it learns that the second user terminal (STA2) has received the inter-station key information with the first user terminal (STA1), constructs an inter-station key response packet (M6) and sends it to the first user terminal (STA1); the inter-station key response packet (M6) contains the identification information of the second user terminal (STA2), an encrypted information field carrying STAKey1-2 protected with the shared key KEYB-1 between the encryption switching device (ESW-B) and the first user terminal (STA1), the AES security parameter suite field selected by the second user terminal (STA2) and a message integrity check code MIC4 field; the message integrity check code MIC4 field is the hash value computed by the encryption switching device (ESW-B) through a hash function, using the shared key KEYB-1 between it and the first user terminal (STA1), over all fields of the packet other than the MIC4 field;
First user terminal (STA1) is received and is encrypted between the station that switching equipment (ESW-B) sends after the key response grouping (M6) verify at first whether message integrity identifying code MIC4 field is correct, if incorrect, then abandons this grouping; If correct, then utilize first user terminal (STA1) and encrypt the key K EY between the switching equipment (ESW-B) B-1Deciphering STAKey 1-2The enciphered message field obtain STAKey 1-2Information, promptly obtain and second user terminal (STA2) between the station between key.
6. A secret communication system among neighboring user terminals, characterized in that: the system comprises a first user terminal (STA1) and a second user terminal (STA2) that are neighbors of each other, an encrypting switching equipment (ESW-B) that is a common neighbor of the first user terminal (STA1) and the second user terminal (STA2), and general intermediate equipment that can receive the packets exchanged between the first user terminal (STA1) and the second user terminal (STA2); the first user terminal (STA1) sends a neighbor encrypting switching equipment selection request packet (M1) to the second user terminal (STA2); after the second user terminal (STA2) receives the neighbor encrypting switching equipment selection request packet (M1) sent by the first user terminal (STA1), it constructs a neighbor encrypting switching equipment selection response packet (M2) and sends it to the first user terminal (STA1); the first user terminal (STA1) sends a station-to-station key request packet (M3) to the encrypting switching equipment (ESW-B); after the encrypting switching equipment (ESW-B) receives the station-to-station key request packet (M3) sent by the first user terminal (STA1), it constructs a station-to-station key announcement packet (M4) and sends it to the second user terminal (STA2); after the second user terminal (STA2) receives the station-to-station key announcement packet (M4) sent by the encrypting switching equipment (ESW-B), it constructs a station-to-station key announcement response packet (M5) and sends it to the encrypting switching equipment (ESW-B); after the encrypting switching equipment (ESW-B) receives the station-to-station key announcement response packet (M5) sent by the second user terminal (STA2), it constructs a station-to-station key response packet (M6) and sends it to the first user terminal (STA1); the first user terminal (STA1) receives the station-to-station key response packet (M6) sent by the encrypting switching equipment (ESW-B);
The neighbor encrypting switching equipment selection request packet (M1) comprises the list of neighbor encrypting switching equipment of the first user terminal (STA1);
The neighbor encrypting switching equipment selection response packet (M2) comprises the information of the neighbor encrypting switching equipment, shared with the first user terminal (STA1), that the second user terminal (STA2) selects;
The station-to-station key request packet (M3) comprises the identification information of the second user terminal (STA2);
After the encrypting switching equipment (ESW-B) receives the station-to-station key request packet (M3) sent by the first user terminal (STA1), it generates a random number as the station-to-station key STAKey_1-2 between the first user terminal (STA1) and the second user terminal (STA2);
The station-to-station key announcement packet (M4) comprises the identification information of the first user terminal (STA1) and an encrypted-information field carrying STAKey_1-2 protected with the key KEY_B-2 shared between the encrypting switching equipment (ESW-B) and the second user terminal (STA2);
The station-to-station key announcement response packet (M5) comprises the identification information of the first user terminal (STA1);
The station-to-station key response packet (M6) comprises the identification information of the second user terminal (STA2) and an encrypted-information field carrying STAKey_1-2 protected with the key KEY_B-1 shared between the encrypting switching equipment (ESW-B) and the first user terminal (STA1);
The first user terminal (STA1) and the second user terminal (STA2) use the station-to-station key STAKey_1-2 to carry out secure data communication;
wherein, if the packets between two user terminals do not pass through any encrypting switching equipment, the two user terminals are neighboring user terminals of each other;
wherein the packets between neighboring user terminals may pass through one or more hubs or non-encrypting switching equipment, and such hubs or non-encrypting switching equipment are called general intermediate equipment between the neighboring user terminals.
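As an added worked example of the M3 to M6 exchange described in the steps above and in claim 6 (this is not the patent's own code), the following Python simulates STA1, STA2 and ESW-B passing the four packets, with the MIC checks and the discard-on-failure rule at every hop. It assumes, because the claims do not fix them, HMAC-SHA256 as the keyed hash behind the MIC fields, an HMAC-derived keystream as a stand-in for the unspecified cipher that protects STAKey_1-2, constructed suite names, and pre-shared keys KEY_B-1 and KEY_B-2 that are already in place.

```python
"""Station-to-station key establishment (M3..M6) between neighbouring terminals
STA1 and STA2 through their common encrypting switch ESW-B.
Added example, not the patent's code. Assumptions: MIC = HMAC-SHA256 over the
canonical JSON of all other fields; STAKey_1-2 wrapped by XOR with an
HMAC-derived keystream under a fresh nonce; suite names are constructed."""
import hashlib
import hmac
import json
import os

KEY_LEN = 16      # bytes of STAKey_1-2 and of the pre-shared keys KEY_B-x
NONCE_LEN = 12


def mic(key: bytes, fields: dict) -> str:
    """Keyed hash (assumed HMAC-SHA256) over every field except the MIC itself."""
    return hmac.new(key, json.dumps(fields, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def mic_valid(key: bytes, pkt: dict, mic_name: str) -> bool:
    """Recompute the MIC over the other fields; constant-time comparison."""
    others = {k: v for k, v in pkt.items() if k != mic_name}
    return hmac.compare_digest(mic(key, others), pkt.get(mic_name, ""))


def wrap(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the unspecified cipher: XOR with an HMAC keystream.
    Self-inverse, so the same call unwraps; the packet MIC gives integrity."""
    stream = hmac.new(key, b"wrap" + nonce, hashlib.sha256).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))


class Terminal:
    def __init__(self, sta_id: str, key_b: bytes, suites: list):
        self.id, self.key_b, self.suites = sta_id, key_b, suites
        self.stakey = None   # STAKey_1-2 once established
        self.suite = None    # negotiated AES security parameter suite

    def build_m3(self, peer_id: str) -> dict:
        m3 = {"src": self.id, "sta2_id": peer_id, "suites": self.suites}
        m3["MIC1"] = mic(self.key_b, m3)
        return m3

    def handle_m4(self, m4: dict):
        if not mic_valid(self.key_b, m4, "MIC2"):
            return None                      # MIC2 wrong: discard
        self.stakey = wrap(self.key_b, bytes.fromhex(m4["nonce"]),
                           bytes.fromhex(m4["enc_stakey"]))
        common = [s for s in m4["suites"] if s in self.suites]
        if not common:
            return None                      # no suite both sides support
        self.suite = common[0]
        m5 = {"src": self.id, "sta1_id": m4["sta1_id"], "suite": self.suite}
        m5["MIC3"] = mic(self.key_b, m5)
        return m5

    def handle_m6(self, m6: dict) -> bool:
        if not mic_valid(self.key_b, m6, "MIC4"):
            return False                     # MIC4 wrong: discard
        self.stakey = wrap(self.key_b, bytes.fromhex(m6["nonce"]),
                           bytes.fromhex(m6["enc_stakey"]))
        self.suite = m6["suite"]
        return True


class EncryptingSwitch:
    def __init__(self, keys: dict):
        self.keys = keys        # {station id: KEY_B-x shared with that station}
        self.pending = {}       # (sta1, sta2) -> STAKey_1-2 awaiting M5

    def handle_m3(self, m3: dict):
        sta1, sta2 = m3["src"], m3["sta2_id"]
        if not mic_valid(self.keys[sta1], m3, "MIC1"):
            return None                      # MIC1 wrong: discard
        stakey, nonce = os.urandom(KEY_LEN), os.urandom(NONCE_LEN)
        self.pending[(sta1, sta2)] = stakey
        m4 = {"src": "ESW-B", "sta1_id": sta1, "nonce": nonce.hex(),
              "enc_stakey": wrap(self.keys[sta2], nonce, stakey).hex(),
              "suites": m3["suites"]}
        m4["MIC2"] = mic(self.keys[sta2], m4)
        return m4

    def handle_m5(self, m5: dict):
        sta2, sta1 = m5["src"], m5["sta1_id"]
        if not mic_valid(self.keys[sta2], m5, "MIC3"):
            return None                      # MIC3 wrong: discard
        stakey = self.pending.pop((sta1, sta2), None)
        if stakey is None:
            return None                      # no outstanding M3/M4 for this pair
        nonce = os.urandom(NONCE_LEN)
        m6 = {"src": "ESW-B", "sta2_id": sta2, "nonce": nonce.hex(),
              "enc_stakey": wrap(self.keys[sta1], nonce, stakey).hex(),
              "suite": m5["suite"]}
        m6["MIC4"] = mic(self.keys[sta1], m6)
        return m6


def run_exchange(tamper: bool = False):
    """Run M3..M6. With tamper=True a general intermediate device (hub) flips
    one bit of the wrapped key in M4; STA2 must detect this and discard."""
    key_b1, key_b2 = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    sta1 = Terminal("STA1", key_b1, ["SUITE-A", "SUITE-B"])   # constructed
    sta2 = Terminal("STA2", key_b2, ["SUITE-B"])
    esw = EncryptingSwitch({"STA1": key_b1, "STA2": key_b2})
    m4 = esw.handle_m3(sta1.build_m3("STA2"))
    if m4 is None:
        return None
    if tamper:
        m4 = dict(m4, enc_stakey=format(int(m4["enc_stakey"], 16) ^ 1, "032x"))
    m5 = sta2.handle_m4(m4)
    if m5 is None:
        return None
    m6 = esw.handle_m5(m5)
    if m6 is None or not sta1.handle_m6(m6):
        return None
    return {"keys_match": sta1.stakey == sta2.stakey,
            "suite": sta1.suite, "suite_agreed": sta1.suite == sta2.suite}
```

Two points the simulation makes visible that the claim text leaves implicit: a hub or non-encrypting switch on the path sees M3 to M6 in full but learns nothing about STAKey_1-2 and cannot alter any packet without the next hop's MIC check failing, whereas ESW-B itself generates and therefore knows STAKey_1-2, so the confidentiality of the STA1 to STA2 traffic rests on the encrypting switch being trusted. Replay protection for the M-packets is not part of the claims and is not modelled here.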
CN2010102519965A 2010-08-12 2010-08-12 Secret communication method and system among neighboring user terminals Active CN101917272B (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN2010102519965A CN101917272B (en) 2010-08-12 2010-08-12 Secret communication method and system among neighboring user terminals
PCT/CN2011/073367 WO2012019466A1 (en) 2010-08-12 2011-04-27 Secret communication method, terminal, switching equipment and system between neighboring user terminals
EP11816025.8A EP2605447B1 (en) 2010-08-12 2011-04-27 Secret communication method, terminal, switching equipment and system between neighboring user terminals
US13/814,899 US8850190B2 (en) 2010-08-12 2011-04-27 Secret communication method and system between neighboring user terminals, terminal, switching equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010102519965A CN101917272B (en) 2010-08-12 2010-08-12 Secret communication method and system among neighboring user terminals

Publications (2)

Publication Number Publication Date
CN101917272A CN101917272A (en) 2010-12-15
CN101917272B true CN101917272B (en) 2012-07-18

Family

ID=43324670

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010102519965A Active CN101917272B (en) 2010-08-12 2010-08-12 Secret communication method and system among neighboring user terminals

Country Status (4)

Country Link
US (1) US8850190B2 (en)
EP (1) EP2605447B1 (en)
CN (1) CN101917272B (en)
WO (1) WO2012019466A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106162618A (en) * 2015-04-23 2016-11-23 中兴通讯股份有限公司 Authentication method, device and the system of a kind of D2D business multicast

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101917272B (en) 2010-08-12 2012-07-18 西安西电捷通无线网络通信股份有限公司 Secret communication method and system among neighboring user terminals
CN102130768B (en) * 2010-12-20 2012-11-07 西安西电捷通无线网络通信股份有限公司 Terminal equipment having capability of encrypting and decrypting link layer and data processing method thereof
CN104883677B (en) 2014-02-28 2018-09-18 阿里巴巴集团控股有限公司 A kind of communicated between near-field communication device connection method, device and system
CN105814837B (en) * 2014-11-19 2020-09-08 华为技术有限公司 Method, equipment and system for directionally counting flow
US11734458B2 (en) * 2019-02-26 2023-08-22 Intel Corporation Extensible layered trusted computing base for computing devices
US11652616B2 (en) 2020-02-26 2023-05-16 International Business Machines Corporation Initializing a local key manager for providing secure data transfer in a computing environment
US11502834B2 (en) 2020-02-26 2022-11-15 International Business Machines Corporation Refreshing keys in a computing environment that provides secure data transfer
US11546137B2 (en) * 2020-02-26 2023-01-03 International Business Machines Corporation Generation of a request to initiate a secure data transfer in a computing environment
US11405215B2 (en) 2020-02-26 2022-08-02 International Business Machines Corporation Generation of a secure key exchange authentication response in a computing environment
US11310036B2 (en) 2020-02-26 2022-04-19 International Business Machines Corporation Generation of a secure key exchange authentication request in a computing environment
US11489821B2 (en) 2020-02-26 2022-11-01 International Business Machines Corporation Processing a request to initiate a secure data transfer in a computing environment
US11184160B2 (en) 2020-02-26 2021-11-23 International Business Machines Corporation Channel key loading in a computing environment
CN112218171B (en) * 2020-09-15 2022-07-19 深圳数字电视国家工程实验室股份有限公司 Interface-based data transmission method, electronic device and storage medium
US11502830B2 (en) * 2020-10-12 2022-11-15 Kyndryl, Inc. Ultrasound split key transmission for enhanced security

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005359A (en) * 2006-01-18 2007-07-25 华为技术有限公司 Method and device for realizing safety communication between terminal devices
CN101800943A (en) * 2010-03-31 2010-08-11 西安西电捷通无线网络通信股份有限公司 Multicasting key negotiation method and system suitable for group calling system
CN101808286A (en) * 2010-03-16 2010-08-18 西安西电捷通无线网络通信股份有限公司 Multicast key agreement method and system for clustered system

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1138367C (en) * 2001-09-17 2004-02-11 华为技术有限公司 Safety-alliance (SA) generation method for safety communication between nodes of network area
JP4551202B2 (en) * 2004-12-07 2010-09-22 株式会社日立製作所 Ad hoc network authentication method and wireless communication terminal thereof
FI20050384A0 (en) * 2005-04-14 2005-04-14 Nokia Corp Use of generic authentication architecture for distribution of Internet protocol keys in mobile terminals
US7936878B2 (en) * 2006-04-10 2011-05-03 Honeywell International Inc. Secure wireless instrumentation network system
CN101247642B (en) 2007-02-14 2012-12-19 华为技术有限公司 Safety neighbor discovering method, network appliance and mobile station
CN101741547B (en) * 2009-12-18 2012-05-23 西安西电捷通无线网络通信股份有限公司 Inter-node secret communication method and system
CN101741548B (en) 2009-12-18 2012-02-01 西安西电捷通无线网络通信股份有限公司 Method and system for establishing safe connection between switching equipment
CN101729249B (en) * 2009-12-21 2011-11-30 西安西电捷通无线网络通信股份有限公司 Building method of safe connection among user terminals and system thereof
CN101917272B (en) 2010-08-12 2012-07-18 西安西电捷通无线网络通信股份有限公司 Secret communication method and system among neighboring user terminals

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005359A (en) * 2006-01-18 2007-07-25 华为技术有限公司 Method and device for realizing safety communication between terminal devices
CN101808286A (en) * 2010-03-16 2010-08-18 西安西电捷通无线网络通信股份有限公司 Multicast key agreement method and system for clustered system
CN101800943A (en) * 2010-03-31 2010-08-11 西安西电捷通无线网络通信股份有限公司 Multicasting key negotiation method and system suitable for group calling system

Also Published As

Publication number Publication date
EP2605447B1 (en) 2020-07-22
EP2605447A1 (en) 2013-06-19
US20130159706A1 (en) 2013-06-20
US8850190B2 (en) 2014-09-30
WO2012019466A1 (en) 2012-02-16
EP2605447A4 (en) 2017-08-09
CN101917272A (en) 2010-12-15

Similar Documents

Publication Publication Date Title
CN101917272B (en) Secret communication method and system among neighboring user terminals
CN101729249B (en) Building method of safe connection among user terminals and system thereof
CN107317674A (en) Key distribution, authentication method, apparatus and system
CN102035845B (en) Switching equipment for supporting link layer secrecy transmission and data processing method thereof
CN103179558A (en) Method and system for cluster system implementing group calling encryption
CN101641935B (en) Power distribution system secure access communication system and method
CN101741547A (en) Inter-node secret communication method and system
CN101527908A (en) Method for pre-identifying wireless local area network terminal and wireless local area network system
CN108810890A (en) Anchor key generation method, equipment and system
CN102823282A (en) Key authentication method for binary CDMA
CN107211273A (en) It is related to and sets up the radio communication that FILS has found frame for the quick initial link circuit of network signal
CN101841413B (en) Creation method of end-to-end secure link and system
CN101741548B (en) Method and system for establishing safe connection between switching equipment
CN101854244A (en) Three-section type secure network architecture establishment and secret communication method and system
CN104883372A (en) Anti-cheating and anti-attack data transmission method based on wireless Ad Hoc network
CN101867930A (en) Rapid authentication method for wireless Mesh network backbone node switching
CN101841547B (en) Creation method of end-to-end shared key and system
Ouaissa et al. A New Scheme of Group-based AKA for Machine Type Communication over LTE Networks.
CN101834863B (en) Method and system for establishing secure connection between local area network nodes
Pawlowski et al. EAP for IoT: More Efficient Transport of Authentication Data--TEPANOM Case Study
CN101814987B (en) Method and system for establishing key between nodes
Rong et al. Wireless network security
CN101964708B (en) System and method for establishing session key between nodes
CN101834862B (en) Method and system for establishing safe connection between nodes
SM et al. IDENTITY BASED ATTACK DETECTION AND MANIFOLD ADVERSARIES LOCALIZATION IN WIRELESS NETWORKS.

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant